Creating Amazon EFS file systems - Amazon Elastic File System

The following sections describe how to create an Amazon EFS file system by using the AWS Management Console and the AWS CLI.

If you're new to Amazon EFS, we recommend that you go through the Getting Started exercise. This exercise provides console-based end-to-end instructions to create and access a file system in your virtual private cloud (VPC). For more information, see Getting started.

Requirements

This section describes requirements and prerequisites for creating Amazon EFS file systems.

Creation token and idempotency

Idempotency ensures that an API request completes only once. With idempotent requests, if the original request completes successfully, subsequent requests have no additional effect. This is useful to prevent duplicate jobs from being created when you interact with the Amazon EFS API.

The Amazon EFS API supports idempotency with client request tokens. A client request token is a unique string that you specify when you make a create job request.

A client request token can be any string that includes up to 64 ASCII characters. If you reuse a client request token within one minute of a successful request, the API returns the job details of the original request.

If you use the console, it generates the token for you. If you use the Custom Create flow in the console, the creation token that is generated for you has the following format:

"CreationToken": "console-d215fa78-1f83-4651-b026-facafd8a7da7"

If you use QuickCreate to create a file system with the service recommended settings, the creation token has the following format:

"CreationToken": "quickCreated-d7f56c5f-e433-41ca-8307-9d9c0f8a77a2"

Permissions required

To create EFS resources, such as a file system and access points, you must have AWS Identity and Access Management (IAM) permissions for the corresponding API operation and resource.

Create IAM users and grant them permissions for Amazon EFS actions with user policies. You can also use roles to grant cross-account permissions. Amazon Elastic File System also uses an IAM service-linked role that includes permissions required to call other AWS services on your behalf. For more information about managing permissions for API operations, see Identity and access management for Amazon Elastic File System.

Configuration options when creating a file system

You can create a file system by using the Amazon EFS console or by using the AWS Command Line Interface (AWS CLI). You can also create file systems programmatically by using AWS SDKs or the Amazon EFS API directly.

When creating an Amazon EFS file system by using the custom create flow or the AWS CLI, you can choose settings for the following file system features and configuration options.

Storage class

Storage class determines the redundancy with which an Amazon EFS file system stores data within an AWS Region. You have the following choices for your file system's availability and durability:

  • Choosing Standard creates a file system that uses EFS Standard storage classes that store file system data and metadata redundantly across all Availability Zones within an AWS Region. You can also create mount targets in each Availability Zone in the AWS Region. Standard offers the highest levels of availability and durability.

  • Choosing One Zone creates a file system that uses EFS One Zone storage classes that store file system data and metadata redundantly within a single Availability Zone. File systems that are using EFS One Zone storage classes can have only a single mount target. This mount target must be located in the Availability Zone in which the file system is created.

    Amazon EFS One Zone storage classes store data in a single AWS Availability Zone. Therefore, data stored in these storage classes might be lost in the event of a disaster or other fault that affects all copies of the data within the Availability Zone, or in the event of Availability Zone destruction.

If you choose One Zone, you can choose the Availability Zone in which the file system is created.

Automatic backups

Automatic backups are always enabled by default when you create a file system by using the console. When you use the CLI or API to create a file system, automatic backups are enabled by default only when you are creating file systems that are using EFS One Zone storage classes. For more information, see Automatic backups.

EFS Lifecycle Management and EFS Intelligent-Tiering

EFS Intelligent-Tiering uses lifecycle management to automatically move files into and out of the lower-cost Infrequent Access (IA) storage classes based on access patterns. When you create a file system by using the AWS Management Console, the file system's lifecycle policy is configured with the following default settings:

  • Transition into IA is set to 30 days since last access.

  • Transition out of IA is set to None.

When you create a file system by using the AWS CLI, Amazon EFS API, or AWS SDKs, you cannot set a lifecycle policy at the same time. You must wait until the file system is created, and then use the PutLifecycleConfiguration API operation to update the lifecycle configuration. For more information, see Amazon EFS lifecycle management.

Encryption

You can enable encryption at rest when creating a file system. If you enable encryption at rest for your file system, all data and metadata stored on it are encrypted. You can enable encryption in transit later, when you mount the file system. For more information about Amazon EFS encryption, see Data encryption in Amazon EFS.

To create the file system mount targets in your VPC, you must specify VPC subnets. The console pre-populates the list of VPCs in your account that are in the selected AWS Region. First, you select your VPC, and then the console lists the Availability Zones in the VPC. For each Availability Zone, you can select a subnet from the list, or use the default subnet if it exists. After you select a subnet, you can either specify an available IP address in the subnet or let Amazon EFS choose an address automatically.

Throughput modes

There are three throughput modes to choose from:

  • Elastic Throughput (Recommended) – Provides throughput that scales up and down automatically in real time, to meet your workload’s performance needs.

    Note

    Elastic Throughput mode is only for use on file systems that are configured with the General Purpose performance mode.

  • Provisioned Throughput – Provides the level of throughput you specify, independent of the file system's size.

  • Bursting Throughput – Provides throughput that scales with the amount of data in EFS Standard storage on your file system.

For more information, see Throughput modes.

Note

Additional charges are associated with using the Elastic Throughput and Provisioned Throughput modes. For more information, see Amazon EFS pricing.

Performance modes

When creating a file system, you also choose a performance mode. There are two performance modes to choose from—General Purpose and Max I/O. For the majority of use cases, we recommend that you use the General Purpose performance mode for your file system. For more information, see Performance modes.

Note

For file systems that use EFS One Zone storage classes, only the General Purpose performance mode is available.

Creating a file system with custom settings by using the Amazon EFS console

This section describes the process of using the Amazon EFS console to create an EFS file system with customized settings instead of using the service-recommended settings. For more information about creating a file system by using the service-recommended settings, see Step 1: Create your Amazon EFS file system.

Creating an Amazon EFS file system with custom settings by using the console is a four-step process:

  • Step 1 – Configure general file system settings, including the storage class and throughput mode.

  • Step 2 – Configure file system network settings, including the virtual private cloud (VPC) and mount targets. For each mount target, set the Availability Zone, subnet, IP address, and security groups.

  • Step 3 – (Optional) Create a file system policy to control NFS client access to the file system.

  • Step 4 – Review the file system settings, make any changes, and then create the file system.

Step 1: Configure file system settings
  1. Sign in to the AWS Management Console and open the Amazon EFS console at https://console.aws.amazon.com/efs/.

  2. Choose Create file system to open the Create file system dialog box.

    
    [Figure: Create file system dialog box showing the optional file system name and default VPC, with the Customize and Create buttons.]
  3. Choose Customize to create a customized file system instead of creating a file system by using the service-recommended settings. The File system settings page opens.

    
    [Figure: Step 1 in creating an EFS file system by using the File system settings page in the EFS console.]
  4. For General settings, do the following.

    1. (Optional) Enter a Name for the file system.

    2. For Storage class, choose one of the following:

      • Choose Standard to create a file system that uses the EFS Standard and EFS Standard-Infrequent Access (IA) storage classes. The EFS Standard storage classes store file system data and metadata redundantly across all Availability Zones within an AWS Region. Standard offers the highest levels of availability and durability.

      • Choose One Zone to create a file system that uses the EFS One Zone and EFS One Zone-Infrequent Access (IA) storage classes. The EFS One Zone storage classes store file system data and metadata redundantly within a single Availability Zone.

        If you choose One Zone, choose the Availability Zone that you want the file system created in, or keep the default setting. For more information, see EFS storage classes.

    3. Automatic backups are turned on by default. You can turn off automatic backups by clearing the check box. For more information, see Backing up your Amazon EFS file systems.

    4. For Lifecycle management, the default policy sets Transition into IA to 30 days after last access and Transition out of IA to None. If you want to use EFS Intelligent-Tiering, choose when to transition the file system to the Infrequent Access (IA) storage class. For more information, see Amazon EFS lifecycle management.

    5. For Encryption, encryption of data at rest is enabled by default. Amazon EFS uses your AWS Key Management Service (AWS KMS) EFS service key (aws/elasticfilesystem) by default. To choose a different KMS key to use for encryption, expand Customize encryption settings and choose a key from the list. Or, enter a KMS key ID or Amazon Resource Name (ARN) for the KMS key that you want to use.

      If you need to create a new key, choose Create an AWS KMS key to launch the AWS KMS console and create a new key.

      You can turn off encryption of data at rest by clearing the check box.

  5. For Performance settings, do the following:

    1. For Throughput mode, Elastic mode is selected by default.

      • To use Provisioned Throughput mode, choose Provisioned mode and, in Provisioned Throughput (MiB/s), enter the amount of throughput to provision for file system requests. The amount of Maximum Read Throughput is displayed at three times the amount of the throughput that you enter.

      • To use Bursting Throughput mode, choose Bursting.

      Amazon EFS file systems meter read requests at one-third the rate of other requests. After you enter the throughput mode, an estimate of the monthly cost for the file system is shown. You can change the throughput mode after the file system becomes available.

      For more information about choosing the correct throughput mode for your performance needs, see Throughput modes.

    2. For Performance mode, the default is General Purpose.

      Note

      Not all file system configurations are supported for the Max I/O performance mode. Only file systems that use Standard storage and Provisioned or Bursting Throughput can use Max I/O performance.

      To change the performance mode, expand Additional settings, and then choose Max I/O.

      You cannot change the performance mode after the file system becomes available. For more information, see Performance modes.

  6. (Optional) Add tag key-value pairs to your file system.

  7. Choose Next to configure network access for the file system.

Step 2: Configure network access

In Step 2, you configure the file system's network settings, including the VPC and mount targets.


[Figure: Step 2 in creating an EFS file system, configuring network settings by using the Amazon EFS console.]
  1. Choose the Virtual Private Cloud (VPC) where you want EC2 instances to connect to your file system. For more information, see Managing file system network accessibility.

  2. For Mount targets, you create one or more mount targets for your file system. For each mount target, set the following properties:

    • Availability Zone – By default, a mount target is configured in each Availability Zone in an AWS Region. If you don't want a mount target in a particular Availability Zone, choose Remove to delete the mount target for that zone. Create a mount target in every Availability Zone that you plan to access your file system from – there is no cost to do so.

    • Subnet ID – Choose from the available subnets in an Availability Zone. The default subnet is preselected.

    • IP Address – By default, Amazon EFS chooses the IP address automatically from the available addresses in the subnet. Or, you can enter a specific IP address that's in the subnet. Although mount targets have a single IP address, they are redundant, highly available network resources.

    • Security groups – You can specify one or more security groups for the mount target. For more information, see Using VPC security groups for Amazon EC2 instances and mount targets.

      To add another security group, or to change the security group, choose Choose security groups and add another security group from the list. If you don't want to use the default security group, you can delete it. For more information, see Creating security groups.

  3. Choose Add mount target to create a mount target for an Availability Zone that doesn't have one. If a mount target is configured for each Availability Zone, this choice is not available.

  4. Choose Next to set the file system policy.

Step 3: Create a file system policy (optional)

Optionally, you can create a file system policy for your file system. An EFS file system policy is an IAM resource policy that you use to control NFS client access to the file system. For more information, see Using IAM to control file system data access.


[Figure: Step 3 in creating an EFS file system, optionally creating a file system policy.]
  1. In Policy options, you can choose any combination of the available preconfigured policies:

    • Prevent root access by default

    • Enforce read-only access by default

    • Enforce in-transit encryption for all clients

  2. Use the Policy editor to customize a preconfigured policy or to create your own policy. When you choose one of the preconfigured policies, the JSON policy definition appears in the policy editor. You can edit the JSON to create a policy of your choice. To undo your changes, choose Clear.

    The preconfigured policies become available once again in Policy options.

  3. Choose Next to review and create the file system.
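The three preconfigured options in Policy options correspond to a small set of policy statements. The following added example (not the console's generated JSON and not AWS code) builds a comparable policy and evaluates, in simplified form, which client actions an anonymous NFS client connecting through a mount target would get; the statement IDs, the constructed ARN, and the evaluator are assumptions for illustration.

```python
import json

PFX = "elasticfilesystem:"
MOUNT, WRITE, ROOT = PFX + "ClientMount", PFX + "ClientWrite", PFX + "ClientRootAccess"
CLIENT_ACTIONS = (MOUNT, WRITE, ROOT)


def build_fs_policy(fs_arn, prevent_root=False, read_only=False, enforce_tls=False):
    """Return a policy dict for the chosen options, or None if none is chosen."""
    if not (prevent_root or read_only or enforce_tls):
        return None  # nothing selected: no file system policy is attached
    actions = [MOUNT]
    if not read_only:
        actions.append(WRITE)
    if not prevent_root:
        actions.append(ROOT)
    statements = [{
        "Sid": "AllowClientAccess",  # hypothetical statement ID
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": actions,
        "Resource": fs_arn,
        "Condition": {"Bool": {"elasticfilesystem:AccessedViaMountTarget": "true"}},
    }]
    if enforce_tls:
        # Explicit Deny for any request that did not arrive over TLS.
        statements.append({
            "Sid": "DenyUnencryptedTransport",  # hypothetical statement ID
            "Effect": "Deny",
            "Principal": {"AWS": "*"},
            "Action": "*",
            "Resource": fs_arn,
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def effective_actions(policy, secure_transport):
    """Simplified evaluation: Bool conditions only, explicit Deny wins."""
    if policy is None:
        return set(CLIENT_ACTIONS)  # no policy: EFS default grants full access
    ctx = {"aws:SecureTransport": str(secure_transport).lower(),
           "elasticfilesystem:AccessedViaMountTarget": "true"}
    allowed, denied = set(), set()
    for st in policy["Statement"]:
        cond = st.get("Condition", {}).get("Bool", {})
        if any(ctx.get(key) != want for key, want in cond.items()):
            continue  # condition not met, so the statement does not apply
        acts = CLIENT_ACTIONS if st["Action"] == "*" else st["Action"]
        (allowed if st["Effect"] == "Allow" else denied).update(acts)
    return allowed - denied


if __name__ == "__main__":
    # Constructed ARN with a placeholder account and file system ID.
    arn = "arn:aws:elasticfilesystem:us-west-2:111122223333:file-system/fs-EXAMPLE"
    policy = build_fs_policy(arn, prevent_root=True, enforce_tls=True)
    print(json.dumps(policy, indent=2))
    print("without TLS:", sorted(effective_actions(policy, False)))
```

The resulting JSON can be pasted into the Policy editor or applied afterward with aws efs put-file-system-policy. Selecting only the in-transit encryption option still needs the Allow statement, because a policy containing only a Deny grants anonymous clients nothing.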

Step 4: Review and create
  1. Review each of the file system configuration groups. You can make changes to each group at this time by choosing Edit.

  2. Choose Create to create your file system and return to the File systems page.

    A banner across the top shows that the new file system is being created. A link to access the new file system details page appears in the banner when the file system becomes available.

Creating a file system by using the AWS CLI

When you're using the AWS CLI, you create these resources in order. First, you create a file system. Then, you can create mount targets and any additional optional tags for the file system by using corresponding AWS CLI commands.

The following examples use adminuser for the --profile parameter values. You must use an appropriate user profile to provide your credentials. For information about the AWS CLI, see Installing the AWS CLI in the AWS Command Line Interface User Guide.

  • To create an encrypted file system that uses the EFS Standard storage classes, with automatic backups enabled, use the Amazon EFS create-file-system CLI command (the corresponding operation is CreateFileSystem), as shown following.

    aws efs create-file-system \
        --creation-token creation-token \
        --encrypted \
        --backup \
        --performance-mode generalPurpose \
        --throughput-mode bursting \
        --region aws-region \
        --tags Key=key,Value=value Key=key1,Value=value1 \
        --profile adminuser

    For example, the following create-file-system command creates a file system in the us-west-2 AWS Region. The command specifies MyFirstFS as the creation token. For a list of AWS Regions where you can create an Amazon EFS file system, see the Amazon Web Services General Reference.

    aws efs create-file-system \
        --creation-token MyFirstFS \
        --backup \
        --encrypted \
        --performance-mode generalPurpose \
        --throughput-mode bursting \
        --region us-west-2 \
        --tags Key=Name,Value="Test File System" Key=developer,Value=rhoward \
        --profile adminuser

    After successfully creating the file system, Amazon EFS returns the file system description as JSON, as shown in the following example.

    {
        "OwnerId": "123456789abcd",
        "CreationToken": "MyFirstFS",
        "Encrypted": true,
        "FileSystemId": "fs-c7a0456e",
        "CreationTime": 1422823614.0,
        "LifeCycleState": "creating",
        "Name": "Test File System",
        "NumberOfMountTargets": 0,
        "SizeInBytes": {
            "Value": 6144,
            "ValueInIA": 0,
            "ValueInStandard": 6144
        },
        "PerformanceMode": "generalPurpose",
        "ThroughputMode": "bursting",
        "Tags": [
            {
                "Key": "Name",
                "Value": "Test File System"
            }
        ]
    }

  • The following example creates a file system that uses One Zone storage classes in the us-west-2a Availability Zone by using the availability-zone-name property.

    aws efs create-file-system \
        --creation-token MyFirstFS \
        --availability-zone-name us-west-2a \
        --backup \
        --encrypted \
        --performance-mode generalPurpose \
        --throughput-mode bursting \
        --region us-west-2 \
        --tags Key=Name,Value="Test File System" Key=developer,Value=rhoward \
        --profile adminuser

    After successfully creating the file system, Amazon EFS returns the file system description as JSON, as shown in the following example.

    {
        "AvailabilityZoneId": "usw-az1",
        "AvailabilityZoneName": "us-west-2a",
        "OwnerId": "123456789abcd",
        "CreationToken": "MyFirstFS",
        "Encrypted": true,
        "FileSystemId": "fs-c7a0456e",
        "CreationTime": 1422823614.0,
        "LifeCycleState": "creating",
        "Name": "Test File System",
        "NumberOfMountTargets": 0,
        "SizeInBytes": {
            "Value": 6144,
            "ValueInIA": 0,
            "ValueInStandard": 6144
        },
        "PerformanceMode": "generalPurpose",
        "ThroughputMode": "bursting",
        "Tags": [
            {
                "Key": "Name",
                "Value": "Test File System"
            }
        ]
    }

    Amazon EFS also provides the describe-file-systems CLI command (the corresponding API operation is DescribeFileSystems), which you can use to retrieve a list of file systems in your account, as shown following.

    aws efs describe-file-systems \
        --region aws-region \
        --profile adminuser

    Amazon EFS returns a list of the file systems in your AWS account created in the specified Region.
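Unlike the console, the CLI and API do not turn on encryption at rest or (for Standard storage) automatic backups unless you ask for them, and several mode combinations are not supported. The following added example (not AWS code) is a pre-flight check that applies the rules stated on this page to a dict keyed by CreateFileSystem request parameters before any call is made; the function name, messages, sample requests, and the treatment of omitted modes as generalPurpose and bursting are assumptions.

```python
"""Pre-flight check for CreateFileSystem parameters (added example).

Keys follow the CreateFileSystem request; the rules are the ones stated on
this page. Nothing here calls AWS.
"""


def check_create_params(p):
    """Return (errors, warnings) for a dict of CreateFileSystem parameters."""
    errors, warnings = [], []
    token = p.get("CreationToken", "")
    # Assumption: omitted modes are treated as generalPurpose / bursting.
    perf = p.get("PerformanceMode", "generalPurpose")
    tput = p.get("ThroughputMode", "bursting")
    one_zone = "AvailabilityZoneName" in p

    # Hard constraints: the request describes an unsupported combination.
    if len(token) > 64 or not token.isascii():
        errors.append("CreationToken must be at most 64 ASCII characters")
    if tput == "elastic" and perf != "generalPurpose":
        errors.append("Elastic Throughput requires General Purpose performance mode")
    if one_zone and perf != "generalPurpose":
        errors.append("One Zone supports only General Purpose performance mode")
    if tput == "provisioned" and not p.get("ProvisionedThroughputInMibps", 0) > 0:
        errors.append("Provisioned Throughput needs ProvisionedThroughputInMibps")

    # Security and durability settings that the console enables by default.
    if not p.get("Encrypted", False):
        warnings.append("Encrypted is not set: data at rest will not be encrypted")
    # CLI/API enable automatic backups by default only for One Zone.
    if p.get("Backup") is False or ("Backup" not in p and not one_zone):
        warnings.append("automatic backups will not be enabled")
    if one_zone:
        warnings.append("One Zone: data is stored in a single Availability Zone")
    return errors, warnings


# Constructed sample requests.
GOOD = {"CreationToken": "MyFirstFS", "Encrypted": True, "Backup": True,
        "PerformanceMode": "generalPurpose", "ThroughputMode": "bursting"}
BAD = {"CreationToken": "x" * 65, "PerformanceMode": "maxIO",
       "ThroughputMode": "elastic", "AvailabilityZoneName": "us-west-2a"}

if __name__ == "__main__":
    for name, req in (("GOOD", GOOD), ("BAD", BAD)):
        errs, warns = check_create_params(req)
        print(name, "errors:", errs, "warnings:", warns)
```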